Security Standards.
Security is not a feature we added. It is the foundation we built on. Every architectural decision across our platform reflects a security-first posture.
How We Protect Your Data
Encryption at Rest & in Transit
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Encryption keys are managed through a dedicated HSM-backed key management service with automatic rotation every 90 days.
Access Control & Zero Trust
We operate a Zero Trust architecture. Every request — internal and external — is authenticated, authorised, and continuously validated. Role-based access control (RBAC) is enforced at the data layer, not just the application layer.
SOC 2 Type II Certified
Outsource Online holds SOC 2 Type II certification across all five trust service criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Our audit reports are available to enterprise clients on request.
Continuous Threat Monitoring
24/7 SIEM monitoring with automated anomaly detection. Security events are triaged by our internal security team within 15 minutes. Critical incidents trigger immediate escalation protocols.
Infrastructure Isolation
Each project environment is provisioned in an isolated container with no lateral network access. Shared infrastructure between clients is architecturally impossible by design.
Penetration Testing
Annual third-party penetration tests across all external surfaces, supplemented by continuous automated scanning. All findings are remediated within SLA before the next audit cycle.
When Things Go Wrong
P0 — Critical
15 min response
Data breach, service-wide outage, or active compromise. Immediate escalation to security lead and executive team. Client notification within 1 hour.
P1 — High
1 hour response
Significant degradation of service or potential data exposure. Triage by security team within 1 hour. Client notification within 4 hours if data is at risk.
P2 — Medium
4 hours response
Non-critical anomaly or policy violation. Investigated and resolved within 4 hours. Documented in the audit log.
P3 — Low
24 hours response
Minor policy deviation or configuration drift detected by automated scanning. Remediated within 24 hours.
To report a security vulnerability, contact security@outsource.online. We operate a responsible disclosure policy and respond to all valid reports within 24 hours.